system, computer program product, and method embodiments for communication between a kernel operational on a storage subsystem and a key manager (km) through a hardware management console (hmc) to provide encryption support are provided. In one embodiment, an event request is initiated by the kernel to the km to execute an event flow. Pursuant to a communication request by the kernel to the hmc, a socket of the hmc is opened along a communication path between the km and the kernel according to an event flow type selected by the km for the event flow. Pursuant to a data request by the kernel to the km, data including a data payload is sent by the km to the kernel, the data payload corresponding to the selected event flow type.
|
1. An method of communication, using a processor device, between a kernel operational on a storage subsystem and a key manager (km) through a hardware management console (hmc) to provide encryption support, comprising:
initiating an event request by the kernel to the km to execute an event flow;
opening a socket of the hmc along a communication path between the km and the kernel; and
pursuant to a data request by the kernel to the km, sending data including a data payload by the km to the kernel to provide the encryption support, the data payload corresponding to an event flow suborder type selected by the kernel for the event flow.
27. A method of manufacturing a system for communication, using a processor device, between a kernel operational on a storage subsystem and a key manager (km) between a hardware management console (hmc) to provide encryption support, comprising:
providing the kernel operable by the processor device, wherein the kernel:
initiates an event request by the kernel to the km to execute an event flow,
opens a socket of the hmc along a communication path between the km and the kernel, and
provides a data request to the km, wherein pursuant to the data request, data including a data payload is sent by the km to the kernel to provide the encryption support, the data payload corresponding to an event flow suborder type selected by the kernel for the event flow.
10. A system for communication, using a processor device, between components of a storage subsystem to provide encryption support, comprising:
the processor device,
a kernel operational on the storage subsystem operable by the processor device,
a key manager (km) in communication with the kernel, and
a hardware management console (hmc) in communication between the km and the kernel, wherein the kernel:
initiates an event request by the kernel to the km to execute an event flow,
opens a socket of the hmc along a communication path between the km and the kernel, and
provides a data request to the km, wherein pursuant to the data request, data including a data payload is sent by the km to the kernel to provide the encryption support, the data payload corresponding to an event flow suborder type selected by the kernel for the event flow.
19. A computer program product for communication between a kernel operational on a storage subsystem and a key manager (km) through a hardware management console (hmc) to provide encryption support, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
a first executable portion that initiates an event request by the kernel to the km to execute an event flow;
a second executable portion that opens a socket of the hmc alone a communication path between the km and the kernel; and
a third executable portion that provides a data request by the kernel to the km, wherein pursuant to the data request, data including a data payload is sent by the km to the kernel to provide the encryption support, the data payload corresponding to an event flow suborder type selected by the kernel for the event flow.
2. The method of
3. The method of
4. The method of
6. The method of
7. The method of
8. The method of
9. The method of
11. The system of
12. The system of
13. The system of
14. The system of
15. The system of
16. The system of
17. The system of
18. The system of
20. The computer program product of
21. The computer program product of
22. The computer program product of
23. The computer program product of
24. The computer program product of
25. The computer program product of
and selects at least one of the hmc and the km by the kernel to send at least one of the event request, communication request, and data request of an available plurality of hmcs and kms in the storage subsystem.
26. The computer program product of
28. The method of manufacture of
29. The method of manufacture of
30. The method of manufacture of
31. The method of manufacture of
32. The method of manufacture of
33. The method of manufacture of
34. The method of manufacture of
35. The method of manufacture of
|
This application is a continuation application of copending U.S. application Ser. No. 12/580,140, filed Oct. 15, 2009, now U.S. Published Application US 2011/0093699 published on Apr. 12, 2011, the entire contents of which are incorporated herein by reference and is relied upon for claiming the benefit of priority.
1. Field of the Invention
The present invention relates in general to computers, and more particularly to a system and method of communication between components in a storage system.
2. Description of the Related Art
Computers and computer systems are found in a variety of settings in today's society. Computing environments and networks may be found at home, at work, at school, in government, and in other settings. Computing environments increasingly store data in one or more storage environments apart from the interface that computer users typically associate. In many cases, the storage environments are located across wide area networks (WANs), in which data is sent to/received from a storage system located remotely from the host.
Storage systems provide data redundancy and greater capacity for storage. As data processing and storage needs increase, storage systems are used with greater frequency. Storage systems contain a variety of interconnected components that allow access, control, and communication between a network of storage devices and the host.
In storage system components such as those in the IBM® DS8000 and DS6000 storage systems, communication between the ESSNI (enterprise storage server network interface) server and the NI (network interface) agent running in each central electronic complex (CEC) of a CEC storage controller is performed via transport control protocol/internet protocol (TCP/IP) sockets. These sockets are opened at startup time, and the connection remains active as long as the NI agent is running. The communication path is bidirectional. The communication path is used to send requests from the ESSNI server to a microcode layer that processes the respective request. Microcode layers use the communication path to send events to ESSNI client applications.
For requests from ESSNI client applications to a microcode layer that will process the request, the NI server will send the request to a device driver/device adapter (DA) using a Kernel Pipe Interface (K-Pipe). The operating system (OS) will receive the request from the driver and forward the request to different microcode layers resident in a respective CEC kernel. For events from a microcode layer to the ESSNI client application that will process the event, the OS will send the event through the Kernel Pipe Interface to the NI agent. The NI agent will then route the event to the ESSNI client application through the communication path.
To provide encryption support in storage systems such as the DS8000 system previously described, the DA kernel level microcode in a respective CEC kernel requires communication with a Key Manager (KM) through a Hardware Management Console (HMC) on which the NI server is operable. From the CEC kernel, the DA has no knowledge or direct communication paths to one or more configured KMs or HMCs. However, in situations such as startup, it is necessary for the DA to establish communication with the KM. In some storage systems, considerations of redundancy result in multiple HMCs/KMs in a particular configuration. Any number of these components may be available at any one time.
In light of the foregoing, a need exists for an efficient system and method of communication whereby a CEC kernel may initiate communications with a KM through a HMC, and whereby configurations of multiple KMs/HMCs may be accessed, to provide data pursuant to encryption support. The system and method should be compatible with existing standards and make use of existing system resources to make an implementation cost-effective and efficient.
Accordingly, various system, computer program product, and method embodiments for communication between the CEC kernel and the KM through a HMC are provided. In one such embodiment, by way of example only, an event request is initiated by the kernel to the KM to execute an event flow. Pursuant to a communication request by the kernel to the HMC, a socket of the HMC is opened along a communication path between the KM and the kernel according to an event flow suborder type selected by the kernel for the event flow. Pursuant to a data request by the kernel to the KM, data including a data payload is sent by the KM to the kernel, the data payload corresponding to an additional selected event flow suborder type.
Additional exemplary system, method, and computer program product embodiments are disclosed and provide related advantages.
In order that the advantages of the invention will be readily understood, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments that are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered to be limiting of its scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings, in which:
The illustrated embodiments provide an efficient, novel event type (having multiple sub-event types). This event type facilitates a data flow initiated and driven by the CEC kernel (specifically the DA-KM module operable on the kernel) to communicate with an applicable external KM through a HMC's NI to provide encryption support. Once communication is established, a data request made by the kernel to the KM results in the delivery of a data payload. This data payload may include session key information sufficient for the kernel to operate, for example. The data and corresponding data payload may vary according to the data request of the kernel and the particular event suborder type selected by the KM to provide encryption support. The NI receives the initiated event from the kernel, and facilitates communication to a particular KM, but retains no knowledge about the event flow. Because the NI is not obligated to retain such information, the overall design, structure and execution of the event type are simplified.
Kernel 22 is operable on storage server 12 as shown. Kernel 22 includes a CPSSDD module 24 inclusive of a DA-KM module (a subcomponent of the DA) 28, a CLIC module 30, and a DA-ASM module 32, providing device adapter control and interface functionality between storage devices 40 collectively shown as a grouping of disk drive modules (DDMs). Intercommunication between the CLIC module 30 and the DA-KM module 28 is shown by arrow 36. Similarly, intercommunication between the DA-ASM module 32 and the DA-KM module 28 is shown by arrow 34. The DA-ASM module 34 provides communication between the CPSSDD module 24 and the grouping of DDMs 40 as shown by arrow 38. In one embodiment, modules 24, 28, 30, and 32 may be implemented in whole, in part, or associated in various ways with microcode and/or microcode layers in the kernel 22. The microcode layers are used in conjunction with the kernel 22 to execute tasks, provide communication, interface with other components, and the like as one of ordinary skill in the art will appreciate.
CPSSDD module 24 utilizes Kernel Pipe Interface 20 to provide communication between the kernel 24 and CPSSDD interface 16. CPSSDD interface provides an additional communications interface between the kernel 22 and ESSSNI agent 14. ESSNI 14 then provides communication using TCP/IP communication link 42 to HMC 44 and NI server 46. As one of ordinary skill in the art will appreciate, HMC 44 includes a number of communication ports/sockets to facilitate the TCP/IP communication 42 and 48 through the NI server 46 to the KM 50. To this regard, HMC 44 is adapted for opening and closing a particular communication socket pursuant to such a request. This process will be further described following. In the depicted embodiment, ESSNI 14 is designated to be an event receiver. In other words, the ESSNI 14 receives an event (herein also described as a call, communication request, data request, etc.) from the CPSSDD module 24 in kernel 22.
One of ordinary skill in the art will appreciate that variations to the depicted configuration of storage server 12, HMC 44 and KM 50 may be implemented. For example, in many configurations of storage servers 12, additional servers 12, HMCs 44 and associated KMs 50 may be connected across TCP/IP communication paths to provide for redundancy and the like. Accordingly, the mechanisms of the present invention are contemplated to apply to configurations of one or several HMCs connected to one or several KMs across a possible number of communications paths.
Turning now to
The kernel then provides a configuration request to the NI to obtain a list of all HMCs and KM configured within a particular storage complex (i.e., those storage components affiliated with the kernel in a particular configuration) (step 208). In response, the NI provides an acknowledgement with a list of all configured HMCs and KMs (step 210).
Once the particular storage configuration is ascertained, the kernel provides a communication command to close all open communications sockets on all configured HMCs (step 212). This may be due, in part, to a previous event flow that may have failed warranting a clean up process to be further described. In response, the NI closes all open sockets and provides an acknowledgement (step 214). The kernel prepares to specifically contact the KM by providing an additional communications command (“open socket”) to a specified KM through a particular HMC in the storage complex (step 216). In response, the NI opens the socket to the particular KM on the specified HMC, and provides an acknowledgement (step 218).
If the acknowledgement received from the HMC indicates that the open socket operation was a success (step 220), then the method 200 proceeds to step 232 as will be described below. If this is not the case, then the kernel changes to the next available TCP/IP communication path (step 222) and retries providing the open socket command (again, step 216) where the NI opens the socket and again provides a return acknowledgment (again, step 218). If no working paths are identified (step 224), then the KM calls the EPL library with a failure flag to initiate performance of a clean up operation (step 226). The EPL library performs the clean up operation and calls the KM callback function with an error (step 228). The KM then calls the kernel with this error (step 230), and the method 200 returns to step 204.
If the open socket is successful as previously described, the method 200 proceeds to step 232, where the kernel provides a send data command on the previously opened socket. In response, the NI sends data, including data payload information (which may contain session key information or other payload information pursuant to the event suborder type selected by the kernel) from the KM through the NI/HMC to the kernel (step 234). If additional data is to be received (step 236), in which additional send data requests are sent pursuant to additional event suborder types, then additional data information/data payload information is sent from the KM through the NI/HMC to the kernel (again, step 234). Once all of the relevant data is retrieved by the kernel from the KM, the kernel provides a close socket command to close the opened socket (step 238), and pursuant to the close socket request, the NI closes the open socket and provides an acknowledgement (step 240). The kernel then initiates providing a backup command to backup the retrieved key information on the HMC (step 242). The NI backs up the key information to a file, and provides an acknowledgement (step 244). The method 200 then ends (step 246).
Turning now to
As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wired, optical fiber cable, RF, etc., or any suitable combination of the foregoing. Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention have been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks. The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the above figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
While one or more embodiments of the present invention have been illustrated in detail, one of ordinary skill in the art will appreciate that modifications and adaptations to those embodiments may be made without departing from the scope of the present invention as set forth in the following claims.
Ward, Matthew J., Lovrien, Kurt A., Martinez, Richard K., Omoniyi, Oladimeji O.
Patent | Priority | Assignee | Title |
10409999, | Oct 15 2009 | International Business Machines Corporation | Communication between key manager and storage subsystem kernel via management console |
9275243, | Oct 15 2009 | International Business Machines Corporation | Communication between key manager and storage subsystem kernel via management console |
9569629, | Oct 15 2009 | International Business Machines Corporation | Communication between key manager and storage subsystem kernel via management console |
Patent | Priority | Assignee | Title |
5029206, | Dec 27 1989 | GENERAL DYNAMICS C4 SYSTEMS, INC | Uniform interface for cryptographic services |
5276735, | Apr 17 1992 | Secure Computing Corporation | Data enclave and trusted path system |
5530758, | Jun 03 1994 | GENERAL DYNAMICS C4 SYSTEMS, INC | Operational methods for a secure node in a computer network |
5978578, | Jan 30 1997 | Openbus system for control automation networks | |
6473794, | May 27 1999 | Accenture Global Services Limited | System for establishing plan to test components of web based framework by displaying pictorial representation and conveying indicia coded components of existing network framework |
6535929, | Jul 02 1996 | Oracle America, Inc | Universal communication mechanism for applications running in a multitasking environment |
7921286, | Nov 14 2007 | Microsoft Technology Licensing, LLC | Computer initialization for secure kernel |
20080077909, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Jun 25 2012 | International Business Machines Corporation | (assignment on the face of the patent) | / |
Date | Maintenance Fee Events |
Jul 18 2017 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Nov 08 2021 | REM: Maintenance Fee Reminder Mailed. |
Apr 25 2022 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Mar 18 2017 | 4 years fee payment window open |
Sep 18 2017 | 6 months grace period start (w surcharge) |
Mar 18 2018 | patent expiry (for year 4) |
Mar 18 2020 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 18 2021 | 8 years fee payment window open |
Sep 18 2021 | 6 months grace period start (w surcharge) |
Mar 18 2022 | patent expiry (for year 8) |
Mar 18 2024 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 18 2025 | 12 years fee payment window open |
Sep 18 2025 | 6 months grace period start (w surcharge) |
Mar 18 2026 | patent expiry (for year 12) |
Mar 18 2028 | 2 years to revive unintentionally abandoned end. (for year 12) |